<!doctype html>
<html>
  <head>
    <title>反XSS攻击</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!--
      Manual check page for the avalon "sanitize" filter (the page title
      reads "anti-XSS attack"). The view model below holds one string of
      markup that carries inline event handlers, a script-scheme form action
      and a script element; the body renders that string through sanitize
      and then html.
      Nothing on this page asserts the outcome: open it and inspect the
      rendered DOM to confirm that no handler attribute, script-scheme URL
      or script element survived.
      NOTE(review): what sanitize actually strips is defined in ../avalon.js,
      which is not visible here. Confirm it there.
    -->
    <script src="../avalon.js"></script>
    <script>
      avalon.define("test", function(model) {
        // Inline handler on an element with an otherwise legitimate src.
        // The image is fetched from a third-party host over plain http.
        var imgProbe = "<img onclick=333 src='http://www.baidu.com/img/baidu_jgylogo3.gif'>";

        // Script-scheme URL in a form action, plus an inline handler.
        var formProbe = "<form onclick=333 action='javascript:alert(1)'></form>";

        // Quoted and unquoted on* attributes, two non-standard names
        // (onclick2, onpress), a harmless title attribute, text content that
        // only looks like a handler, and a trailing script element.
        // Presumably the benign parts show what the filter must leave
        // untouched; confirm against the filter's intended behaviour.
        // The closing tag of that script element is written with an escaped
        // slash so the HTML parser does not end this inline script early.
        var mixedProbe = "<p onclick='aaa' onclick2=\"ddd\" title=eee onpress=eee>onclick=eee<span onmouseup='ddd'>ddd</span></p><script>alert(1)<\/script>";

        model.aaa = imgProbe + formProbe + mixedProbe;
      });
    </script>
  </head>

  <!--
    Filter order is the security-relevant part of the binding below: the
    string passes through sanitize first and only then through html, which
    inserts it as markup. Dropping sanitize, or placing it after html, would
    hand the raw string to the DOM.
    NOTE(review): if sanitize is pattern-based (confirm in avalon.js), treat
    it as one layer only and pair it with a Content-Security-Policy that
    disallows inline script.
  -->
  <body ms-controller="test">
    <div>{{aaa|sanitize|html}}</div>
  </body>
</html>